Saturday, February 28, 2015

Both the House and Senate will be in session this week.
There are lots of budget hearings scheduled, but nothing of specific interest
to readers of this blog. There will be four cybersecurity hearings; the most I’ve
seen in a single week. There will also be a hearing on the Chemical Safety
Board and a markup of the RESPONSE Act.

Cybersecurity

The following cybersecurity related hearings will be held in
the House this week:

I don’t expect that there will be any real discussion of
control system security at any of these hearings.

Chemical Safety Board

The House Committee on Oversight and Government Reform will
be holding
a hearing on Wednesday looking at “Rebuilding the Chemical Safety Board:
Finding a Solution to the CSB's Governance and Management Challenges”.

There have been a number of complaints in the federal
government and industry about the increasing political focus of the CSB’s
accident investigation results in recent years. A number of people at OSHA and
the EPA have complained about what some call the strident calls for legislative
and regulatory action from the CSB. I expect that we will hear the same thing
in this hearing.

RESPONSE Act

The Senate Homeland Security and Governmental Affairs
committee will be holding a business
meeting on Wednesday. One of the items on the agenda is a markup of S 546,
a bill that would establish the Railroad Emergency Services Preparedness,
Operational Needs, and Safety Evaluation (RESPONSE) Subcommittee under the
Federal Emergency Management Agency's National Advisory Council to provide
recommendations on emergency responder training and resources relating to
hazardous materials incidents involving railroads. The bill was just introduced
this week, so the speed of this hearing is an indicator of how much interest
there is in the bill.

On the Floor

There is nothing planned for this week in either house that
will be of specific interest to readers of this blog. Of course the 500 lb
gorilla that hangs over this week in Congress is the FY 2015 spending for DHS.
It will be interesting to see if and how the various parties decide to try to
work out their differences. What we have seen so far does not bode well for the
future of the FY 2016 spending bills that have not yet even started to wend
their way through Congress.

Friday, February 27, 2015

For some reason the Congress.gov web site had problems today
making yesterday’s legislation available for viewing. It just finally became
available. There were 96 bills introduced in the House and Senate on Thursday.
Only one appears to be of potential interest to readers of this blog:

The spending bill situation is getting entirely out of
control when an odd congressman (meaning not a member of the appropriations
committee) feels it is necessary to introduce a continuing resolution to fund
just one component agency of DHS. I think we can safely assume that this bill
will get no traction to go anywhere.

Earlier today the Senate adopted a clean version of HR 240
by a vote
of 68 to 31; all 31 nay votes were from conservative Republicans. Just now
the House voted (228 to
191) to disagree with the Senate amendment to HR 240 and to request a
conference. It is unlikely that there will be a resolution to the disagreement
on HR 240 today.

Meanwhile, the House debated HJ Res 35 and is now waiting
for the leadership to call for a vote on that measure that would extend the
current DHS funding until March 19th. The Senate is currently in
recess subject to the call of the Chair waiting to take up either HR 240 or HJ
Res 35.

Today the Animal and Plant Health Inspection Service
(APHIS) published a notice of availability in the Federal Register (80 FR
10661-10662) concerning a new treatment schedule for the use of methyl
bromide as a fumigant on imported figs for external pests.

This new treatment regime adds another to the critical uses
of methyl bromide and will be another block to its elimination from use under the Montreal
Protocol on Substances that Deplete the Ozone Layer (Protocol) and the
Clean Air Act (CAA). It was the promise by the EPA of the elimination of the
use of this toxic inhalation hazard chemical that led the Department of
Homeland Security to remove methyl bromide from their draft list of DHS chemicals
of interest (COI) under the CFATS program.

While the use of methyl bromide has certainly diminished greatly
since the 2007 COI draft, it has not been eliminated. It is still manufactured,
transported and used in the United States. And, as this notice indicates, its
efficacy as a fumigant almost certainly ensures that it will not be eliminated
from commerce in the foreseeable future.

DHS needs to reconsider its delisting of methyl bromide as a
release toxic chemical on its CFATS COI list.

In separate rulemaking activities today the Centers for
Disease Control (CDC) and the Animal and Plant Health Inspection Service
(APHIS) both published advance notices of proposed rulemaking (ANPRMs) in the
Federal Register concerning the updating of the Select Agent and Toxins list.
The CDC action (80 FR 10556-10558) and the APHIS action (80 FR 10527)
are both routine biennial reviews mandated by Congress.

There are two separate lists maintained by these agencies
based on separate congressional mandates. The CDC list is specifically
targeting agents and toxins that affect humans while the APHIS list is for
those targeting plants and animals. There is some overlap of the two lists.

The CDC is considering removing six agents from the HHS List
of Select Agents and Toxins:

APHIS is not currently considering the addition or deletion
of any specific agent or toxin from their List of Select Agents or toxins.

Both agencies are soliciting public comments. Comments may
be submitted via the Federal eRulemaking Portal (www.Regulations.gov); CDC comments would
be filed under docket CDC-2015-0006 and APHIS comments under docket APHIS-2014-0095.
Comments for both ANPRMs should be filed by April 28th, 2015.

Thursday, February 26, 2015

This evening the House Rules Committee is meeting to
formulate the rule for the consideration of HJ Res 35, a short term continuing
resolution for the FY 2015 spending for the Department of Homeland Security.
This CR will extend the current DHS funding deadline until March 19th.

The Senate is scheduled to have a series of votes on HR 240,
the FY 2015 DHS spending bill. The final vote will be on an amended version of
the bill that does not have the immigration provisions repealing some of the
actions that the President has recently taken under administrative orders. Once
that version passes in the Senate the House will either have to acquiesce to
those changes or request a conference committee to resolve the differences.

The House Republican leadership is currently unwilling to
agree to the changes in HR 240 and the Senate Democrats have announced that
they would object to a conference, so it is unlikely that a final vote on HR
240 would be able to be completed before midnight tomorrow night when the
current CR deadline runs out.

The two and a half week extension would likely allow the
Senate to finish work on a bill that addresses the immigration issues covered
in the House version of HR 240. Sen. McConnell (R,TN) got Democrats to agree to
allow such a bill to come to the floor in exchange for his bringing a clean
version of HR 240 to the floor. The House Republicans could then pass that bill
to get the immigration issue ‘dealt with’. The pressure would then be off the
Republicans to demand such action in the appropriations bill.

The Committee will almost certainly call for a closed rule
with limited debate to allow the bill to come to a vote tomorrow morning. This
would allow the Senate to take up the bill in the afternoon, effectively
stopping a DHS shutdown.

This afternoon the DHS ICS-CERT published an advisory
for a code injection vulnerability in Network Vision’s IntraVue software. The
vulnerability was reported by Jürgen Bilberger from Daimler TSS GmbH. Network
Vision has developed a new version which mitigates the vulnerability, though
there is no indication that Bilberger has had a chance to validate the efficacy
of the fix.

ICS-CERT reports that a relatively unskilled attacker could
remotely exploit this vulnerability to execute arbitrary code on the IntraVue
system. Since this is an industrial Ethernet visualization and control development
tool, this vulnerability could conceivably give an attacker virtual network
control.

The changes were made to reflect the passage of HR 4007
during the last session. The only substantive change to date (beyond the
mention of the new CFATS authorization language) is a link to a copy of 6
USC §621 et seq. This is where the new CFATS authorization language is
found. Interestingly the Department had to use a congressional web site for
this link since the GPO
web site for the US Code is not due for the 2014 update for a couple of
months yet.

There is a brief mention of the new expedited approval
process for Tier 3 and Tier 4 facilities that I have previously described
in some detail. No details are provided beyond mentioning that DHS “expects
the guidance to be issued in the summer of 2015”. As I mentioned in an earlier
post, Congress set the deadline for publishing that guidance at 180 days
after passage of HR 4007 which would be July 16th.

I am surprised that DHS does not mention the grandfathering
of existing site security plans (SSPs) in these updated web pages. There has
still not been any official pronouncement about the status of SSPs approved
after December 18th. Those approved before that date will not have to
be renewed for the new CFATS authorization language by congressional mandate.
Plans approved after that date do not have that official protection.

Those of you who follow me on TWITTER or LinkedIn will probably remember
my mentioning a couple of weeks ago that I had been laid off from my full-time
job. The sharp drop in crude oil pricing has left lots of good people in and
around the oil patch out of work. Now I don’t cover a lot of personal stuff in
this blog, but I am mentioning this because my current job search may have an
effect on the continuation of this blog.

The Blog and Employers

My last two employers both knew about the existence of this
blog and my sometimes adversarial relationship with a couple of government
agencies. I knew that a number of employers would object to having one of their
employees publicly criticizing agencies that the company would have to deal
with so I was very upfront with both employers about the blog. Neither objected
to me continuing the blog as long as my association with them was not connected
with the blog in any way. That was the reason for my employer being listed as
“Unnamed Chemical Company” on my LinkedIn profile for the last two years.

I realized that if they had objected to my continuing the
blog that I would have had to decide between paying the bills and continuing to
write about chemical safety and security issues. Needless to say keeping a roof
over the wife’s head would take precedence.

As I start the job search process again, I know that this
issue will have to be discussed with any potential employer. Again, if forced
to choose, I know which way that I would have to jump.

Making the Blog Pay

Now I certainly think that I have been providing a valuable
service to both the government and industry (and yes even some advocacy groups)
over the years with this blog. This isn’t just my ego talking (though it does
come into play) as I have been told this by a number of readers from a wide
variety of backgrounds over the last seven plus years of writing this blog.

As I have mentioned on a number of occasions I am a bit of a
chemical safety and security preacher. I enjoy what I am doing and I really
want to continue being a voice of reason and concern in this field. As such I
would like to take this opportunity to officially expand my job search to
include looking for some way to make the Chemical Facility Security News my
official ‘keeping a roof overhead’ job.

Now, I don’t think that there is enough readership associated
with this blog to make attempting to make it a subscription service workable. I
don’t know exactly how many readers I have, but it certainly isn’t large enough
(even if they were all willing to pay for the service) to pay a salary and the
associated overhead of running a subscription web site.

There have been a number of organizations over the last
seven years that have tried to make a go of maintaining a chemical
security/safety web site blog. The only ones that are still around are blogs
run by commercial organizations with the blog and associated web sites
supporting that organization’s operations.

One of the things
that has made my blog popular is the fact that I am not shilling for anyone; my
views are my opinions, not fettered by any commercial agenda. I would like to
maintain that editorial independence if I can. So essentially selling this blog
to some commercial enterprise is probably something that I would only consider
as a last resort.

Another possible option is to obtain some sort of grant
(federal or corporate) money for continuing the blog. I’m not sure how to find
such stuff, but I’ll start looking through the internet. If anyone is aware of
such grant type funding, please let me know.

Separate Freelance Operation

Another option (and probably the most likely) is to hire my
pen out to others. I have done this for a couple of different sites over the
years; sometimes for pay, sometimes just for exposure. At this point, however,
I think that I need to do it for pay. If anyone knows of a website or
periodical that needs chemical security or safety content please put them in
contact with me.

I have tried this in the past, but most freelance writers
starve. I am in a bit better position as I attempt this now since I have an
already (narrowly) established reputation. I’ll be contacting various editors
that I have come in contact with in the last couple of years, letting them know
that my services are generally available. If anyone is aware of any corporate
interests in need of writing services in this field, please let me know or
provide them with my contact information.

Still Looking for Process Chemist Job

While writing this blog full time is what I really like to
do, I am not going to stop looking for a process chemist position. I really do
enjoy that work as well and would be a valuable asset to any chemical
manufacturing facility that would employ me. If anyone knows of any such
opportunities please let me know.

With both the House and Senate in session yesterday there
were 61 bills introduced. Seven of those bills may be of specific interest to
readers of this blog:

HR 1022 To amend the Homeland Security Act of 2002 to authorize the use of Urban Area
Security Initiative and State Homeland Security Grant Program funding to
counter violent extremism. Rep. Walker, Mark [R-NC-6]

HR 1024 To provide for the compensation of furloughed Department of Homeland Security
employees in the event of a lapse in Department of Homeland Security
appropriations, and for other purposes. Rep. Beyer, Donald S., Jr. [D-VA-8]

S 545 A bill making continuing appropriations for Coast Guard pay in the event the
Consolidated and Further Continuing Appropriations Act of 2015 expires and the
Department of Homeland Security... Sen. Thune, John [R-SD]

Three of the bills (HR 1024, S 545, S 554) would ensure that
all or some of the employees affected by a temporary shutdown of the Department
of Homeland Security because of the current spending-immigration squabble would
be paid for their required performance of their duties during the shutdown. If
there is no shutdown of DHS these bills will not go any further than their
introduction. In any case I probably won’t mention these bills again unless
there is something particularly unusual in their wording.

Two bills (HR 1043 and S 546) would set up an advisory
committee (okay subcommittee, but that is probably nothing more than a
technicality) to deal with railroad emergency response matters. This almost
certainly is being considered due to the crude oil train derailments over the
last year or so.

HR 1022 will almost certainly help spread around the Urban
Area Security Initiative and State Homeland Security Grant Program monies, but
probably won’t increase the amount of money available. The new players will
appreciate the move, everyone else will get their funding cut.

Finally, Sen. Coats gets the day’s award for the most
meaningless bill title for S 542. We will have to wait and see if it really
means anything.

Tuesday, February 24, 2015

This afternoon the DHS ICS-CERT published three advisories
for control systems from Schneider, Kepware and Software Toolbox.

Schneider Advisory

This advisory
describes a buffer overflow vulnerability in the Schneider Invensys SRD Control
Valve Positioner. The vulnerability was reported by Ivan Sanchez from Nullcode
Team. Schneider has produced a new version of the software that mitigates the
vulnerability, but there is no indication that Sanchez has verified the
efficacy of the fix.

ICS-CERT reports that a local user is required to load a
malformed DLL file before the vulnerability is exploitable. A successful
exploit could result in arbitrary code execution. Schneider reports
that once the DLL file is loaded the vulnerability is remotely exploitable.
They don’t mention anything about loading a ‘malformed DLL file’; it is
apparently a DLL file that is part of the software package.

Kepware Advisory

This advisory
describes a resource exhaustion vulnerability reported by Crain and Sistrunk
(back in December 2013 according to
Adam Crain) in the Kepware DNP Master Driver. Kepware has produced a new
version that mitigates the vulnerability, though there is no indication that
Crain or Sistrunk have verified the efficacy of the fix.

ICS-CERT reports that a moderately skilled attacker could
remotely exploit this vulnerability to crash the OPC Server.

The ICS-CERT discussion of the vulnerability appears to
imply that a similar vulnerability might be found in other implementations of
the DNP3 protocol. It notes that there is a DNP3
Application Note addressing the situation.

This looks like it was one of two remaining unresolved DNP3
vulnerabilities listed on the Project
Robus website.

Software Toolbox Advisory

This advisory is a near duplicate of the Kepware advisory
discussed above except that it involves the Software Toolbox Top Server. If
this is, in fact, the second unresolved DNP3 vulnerability listed on the
Project Robus site, I kind of suspect that these two vendors may be the only
two with this specific implementation issue. Crain-Sistrunk would have looked
for this in other implementations; they are kind of thorough that way.

Sunday, February 22, 2015

The House and Senate will both be back in town this week
after spending some time in their districts. There will be a number of budget
hearings, but only one of specific interest to readers of this blog; the Coast
Guard budget. Cybersecurity will be an additional topic this week as will DHS
performance and domestic terrorism.

Coast Guard Budget

The House Transportation Committee’s Subcommittee on Coast
Guard and Maritime Transportation will be holding a hearing
on Wednesday to look at the President’s budget proposal for Coast Guard
spending in FY 2016. This will almost certainly be a ‘high-level’ review with
little probability of chemical safety or security being mentioned, much less
discussed in any detail.

Cybersecurity Information Sharing

On Wednesday the House Homeland Security Committee will be
holding a hearing
on “Examining the President’s Cybersecurity Information Sharing Proposal.”
Administration witness from DHS will be heard and there will be a report from
the Congressional Research Service (CRS).

Watch the questioning at this hearing to see how close the
two sides are to achieving a consensus on the information sharing issue. Pay
careful attention to see if Congress may take a wait and see response to the
President’s actions as a way to avoid action on legislation this year.

DHS Oversight

The House Homeland Security Committee’s Subcommittee on
Oversight and Management Efficiency will be holding a hearing
on Thursday looking at “Assessing DHS’s Performance: Watchdog Recommendations
to Improve Homeland Security.” No witness list has been published, but I
suspect that it will be academics and think tanks.

There is a slight chance that the pending changes to the
CFATS program will be mentioned, but, if it is, there won’t be many details
discussed.

Domestic Terror Threat

The Subcommittee on Crime, Terrorism, Homeland Security, and
Investigations of the House Judiciary Committee will be holding a hearing
on Thursday looking at “ISIL in America:
Domestic Terror and Radicalization.” There is no witness list currently
available.

There might be a passing mention of cybersecurity, but
almost certainly nothing about chemical security.

On The Floor

The 800 lb gorilla this week is the Friday deadline to pass
the FY 2015 spending bill for the Department of Homeland Security. The House
passed HR 240 last month, but the Senate has not been able to overcome
Democratic opposition to the immigration riders to actually be able to start
debate on the measure. At least one more attempt will be made to get cloture on
this bill this week.

There is an interesting indication that the House expects to
see a revised version of HR 240 come back to the House for a vote this week.
The Majority Leader’s web
page mentions ‘possible consideration of HR 240’ later in the week. If the
Senate can’t bring the bill to the floor in that body this week, there may be a
short term continuing resolution coming out of the House.

There is always the possibility, however, that both sides
will expect the other side to get the blame for a shutdown and thus let the
whole matter slide past Friday. Most of DHS will continue working for ‘national
security’ reasons, though it will be ‘without pay’ (back-pay for those that had
to work would probably be included in the final bill that does eventually get
worked out). The CFATS program would not, however, be covered under that
provision. Chemical security inspectors
would not get paid, but they could spend the time with their families.

Thursday, February 19, 2015

This morning the DHS ICS-CERT published another advisory
for twin vulnerabilities in the Siemens SIMATIC STEP 7 TIA Portal. Each
advisory was separately discovered by the Quarkslab team and Dmitry Sklyarov with
PT-Security. Siemens has produced a patch to mitigate the vulnerabilities, but
there is no indication that either research team has been given the opportunity
to verify the efficacy of the patch.

● Use of password with insufficient computational effort - CVE-2015-1602

ICS-CERT reports that it would be moderately difficult to
construct a workable exploit for these two vulnerabilities. Siemens reports
that access to the network path between client and server would be required for
the first vulnerability and access to TIA project files would be required for
the second.

Why Siemens

At some point we have to wonder why we are seeing so many
Siemens advisories. In many cases (but certainly not even most) the answer is
self-reporting and that is a mark of a current commitment to security. But
sooooo many vulnerabilities, surely that is the sign of a basic problem?

Yes, there were certainly problems with the way that most of
these programs were originally written. The mistakes we are seeing seem so
basic now, but that is because we have been seeing them throughout the industry
for the last few years. Siemens is now paying for the mistakes that they and
most of the rest of the industry made back when security was a ‘non-issue’
because control systems were air gapped and so hard to understand.

Siemens is now facing much the same problem that Microsoft
faced twenty years ago. Because of their size, familiarity and availability,
researchers around the world are taking a hard look at Siemens products,
knowing that they are going to find vulnerabilities. It may not be quite
shooting fish in a barrel, but it is certainly fishing in a freshly stocked
pond.

Many of these researchers are going to start to move on to
the other suppliers in the field using the skills they honed on working on
Siemens gear. There will be more advisories for other vendors and people will
laugh at how easy they were to find; unless the other vendors internalize the
searches and fix them before the researchers find them.

And the Siemens advisories will continue. Siemens makes ever
more complex products; with more and more capabilities. Mistakes will be made.
More importantly researchers (of whatever hat color) are also getting more and
more sophisticated. They will find new types of vulnerabilities that we have
not even thought about yet. Security designers and researchers will continue to
be locked in a war of improving capabilities. And we users; we will be better
for it.

Wednesday, February 18, 2015

As cleanup after Monday’s crude oil train derailment in West Virginia begins, new
information is starting to become available; some of it contradicts initial reports.
As is typical for chemical related accidents in West Virginia, a good source of information
continues to be the Charleston Gazette.

No Water Contamination

One of the major concerns on Monday was the possible
contamination of drinking water supplies by crude oil spilled into the Kanawha River. Early reports indicated that at
least one crude oil tanker was in the river and there were even reports of oil
burning on the river. It turns out that no tankers ended up in the water or
were really even close to the river.

Given last year’s Freedom Industry spill it is
understandable that local residents were concerned about drinking water
contamination. Fortunately, safety procedures put into place after that spill
were immediately implemented. This included shutting off water intakes on the
river downstream of the accident and water testing by the West Virginia
National Guard.

Newer Tank Cars

As with all of these crude oil train accidents initial
concerns were focused on the relatively fragile DOT 111 railcars that make up a
large portion of the crude oil transport fleet. It turns out that the cars
involved in this shipment were the slightly newer CPC 1232 railcars that are
supposed to hold up to derailments better than the older DOT 111 cars.

While we are still waiting on OMB to approve the PHMSA High-Hazard
Flammable Trains final rule, it is interesting to note that last
fall’s NPRM included upgrades to the CPC 1232 railcar design that would
lessen the chance of crude oil discharges in accidents like this. We will have
to wait and see if those changes made it into the final rule (I expect that
they did) and what the timetable will be for their implementation.

Looking at photos
of the derailment it certainly looks like the results of the accident could
have been much worse if these had been DOT 111 cars; particularly if they had
been the older models. One good side of the current cutback in crude oil
production: many of those DOT 111 cars will be among the first idled.

Cause of Accident

We are still way early in the accident investigation process
so it is premature to call out any possible cause of the derailment. I do find
it interesting to look at a close
up picture of a portion of the track where the accident occurred. The track
is severely damaged. What is not clear is if this damage was caused by the
accident or if it was the cause of the derailment. CSX is reporting that the
track had been inspected just last week.

Political Fallout

As with each of these crude oil train derailments there have
been numerous calls for federal action to prevent the derailments and reduce
the possibility of the related spills, fires and explosions. I expect that
there will be added pressure on OMB to quickly approve the PHMSA
rule now under consideration.

As I mentioned earlier Rep. Lofgren (D,CA) introduced HR 726,
the Secure Data Act of 2015. While the bill does not specifically mention
the National Security Agency (NSA) it was obviously written in response to revelations
that the NSA obtained backdoor access to various computer systems and software.
Similar bills (HR
5800 and S 2981) were introduced last year during the close of the 113th
Congress without any subsequent action.

The bill’s requirements are fairly straightforward. It
states that no government agency “may mandate or request that a manufacturer,
developer, or seller of covered products design or alter the security functions
in its product or service to allow the surveillance of any user of such product
or service, or to allow the physical search of such product, by any agency” {§2(a)}.

The one loophole in this bill that I identified in my
discussion of the bills introduced last year remains in the definition of ‘covered
products’. That term is defined as “any computer hardware, computer software,
or electronic device that is made available to the general public [emphasis
added]” {§2(c)(2)}. It could certainly
be argued that servers and the software for many internet based services are
not ‘available to the general public’.

The bill is careful to ensure that the language does not
interfere with court ordered access to digital communications as authorized
under 47
USC 1001 et seq. Even those provisions prohibit law enforcement agencies
from requiring “any specific design of equipment, facilities, services,
features, or system configurations to be adopted by any provider of a wire or
electronic communication service, any manufacturer of telecommunications
equipment, or any provider of telecommunications support services” {47
USC 1002(b)(1)(A)}.

I suspect that if this bill were to make it to the floor of
the House that it would pass with substantial bipartisan support. The question
is if Lofgren has the political connections to get this bill considered in
either of the two committees to which it has been referred. She is a member of
the Judiciary Committee so I would expect that this would be the first
committee to see any action on this bill.

Tuesday, February 17, 2015

Today the DHS ICS-CERT published an update of a Siemens
advisory from last year, two new Siemens advisories and an advisory for
Yokogawa. Siemens also updated their GNU
Bash advisory but that did not necessitate an update of the ICS-CERT
supplement for that vulnerability.

Siemens Update

As
I predicted ICS-CERT had to issue update ‘G’
to their Siemens OpenSSL Advisory. They did me one better though. They waited
until Siemens published
the notice of the availability of the update for APE V2.0.2 and ROX V2.6.0
with ELAN before they updated the advisory. This should effectively close out
this set of vulnerabilities.

Yokogawa Advisory

This advisory
concerns the HART DTM vulnerability for Yokogawa devices that use the
CodeWrights DTM library. The language in
this advisory is the same as that found in the latest
CodeWrights advisory. The only odd thing about this advisory is that
Yokogawa was not listed as a CodeWrights customer on that earlier advisory. I
wonder how many other vendors will also turn out to be affected.

Note: Both the Yokogawa
advisory and the JP CERT
advisory referenced in the ICS-CERT document are in Japanese. I would have
thought that Yokogawa would have produced an English language version for the US market.

Siemens WinCC TIA Portal Advisory

This advisory
describes twin authentication vulnerabilities in the Siemens WinCC TIA Portal.
The vulnerabilities were originally reported by Gleb Gritsai, Roman Ilin,
Aleksandr Tlyapov, and Sergey Gordeychik from Positive Technologies. Siemens
has produced a new service pack that mitigates these vulnerabilities, but there
is no indication that the researchers were given the opportunity to verify the
efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to reconstruct passwords or escalate
privileges on the network. Siemens
notes that an exploit of the first vulnerability requires capturing network
traffic of the remote management module.

Siemens WinCC Step 7 TIA Portal Advisory

This advisory
describes twin authentication vulnerabilities in the WinCC Step 7 TIA Portal.
The vulnerabilities were reported by Aleksandr Timorin from Positive
Technologies. Siemens has produced a service pack that mitigates the
vulnerabilities but there is no indication that Timorin has been given the
opportunity to verify the efficacy of the fix.

ICS-CERT reports that an exploit would require a social
engineering attack that could result in remote exploitation of this
vulnerability to reconstruct passwords or gain permission to access the
system. Siemens
notes that the second vulnerability requires local access to the TIA
project file.

As I noted earlier, Rep. Barton (R,TX) introduced HR 702,
a bill to adapt to changing crude oil market conditions (for some reason no
fancy name was included in the language of this bill). The bill would remove
restrictions on the export of coal, petroleum products, natural gas, or
petrochemical feedstocks.

Removing Export Restrictions

The bill is very short with just four sections. The first
section outlines the ‘congressional findings’ that provide the reasons for the
actions outlined in the bill. Those findings relate to the changing
international oil market and the fact that the United States has drastically
increased its domestic production of crude oil.

The second section of the bill repeals 42
USC 6212. This was passed by Congress in 1979 during the ‘second oil crisis’
and authorized the President to draft regulations to control the exports of “coal,
petroleum products, natural gas, or petrochemical feedstocks” {42 USC 6212(a)(1)}
as well as the supplies, equipment and technology used to “maintain or further
exploration, production, refining, or transportation of energy supplies” {42
USC 6212(a)(2)}. Thus this bill would remove the authorization for any such
regulations. This repeal would potentially affect much more than the export of
just the crude oil mentioned in the congressional findings.

The third section of the bill would reinforce the repeal of §6212
by specifically prohibiting the action of any federal agency to “impose or
enforce any restriction [emphasis added] on the export of crude
oil”. This was done to ensure that any export controls not based upon §6212
could not be used to control the export of crude oil.

Unintended Consequences

This §3 language reflects a general mistrust for the current
administration (and perhaps government in general). Unfortunately the broad
language of this section (starting with the ‘Notwithstanding any other
provision of law’) could potentially be used to justify the avoidance of hazmat
shipping restrictions of crude oil at various stages of the crude oil export
supply chain. Given the problems seen with some of the rail shipments of
Bakken crude oil, this was probably not the intent of Rep. Barton. But wide,
sweeping language frequently carries unintended consequences.

The Inevitable Study

Section four of this bill would require the Secretary of
Energy to conduct a study and report to Congress “on the appropriate size,
composition, and purpose of the Strategic Petroleum Reserve”. The report would
be due to Congress within 120 days of passage of the bill.

Moving Forward

Given the current world price for oil it is unlikely that
there will be any urgent push for passing this bill. This bill would almost
certainly be able to pass in the House given the Republican majority. Whether
this bill could garner enough Democratic support to overcome a liberal filibuster
in the Senate is another question entirely. Modification of the language in
Section 3 might increase those chances.

NOTE: HR 666,
the earlier version of this bill that was essentially ignored by its author due
to the assigned bill number, has identical language. No one will touch that
bill.

Monday, February 16, 2015

The latest crude oil train derailment just
occurred this afternoon in West Virginia
in Kanawha County. As is fairly typical in WV the
railroad track parallels the Kanawha River and a number of the
rail cars have apparently ended up in the river. Fires and explosions have been
reported in association with this accident.

The derailment took place upstream of Charleston, WV
which had problems last year with the Freedom
Industries spill. Local news
reports have been very careful to announce that water intakes downstream of
the spill have been closed to avoid contamination of the drinking water systems
with the spilled crude oil.

On Friday the OMB’s Office of Information and Regulatory
Affairs (OIRA) announced
that it had approved the FAA’s notice of proposed rulemaking (NPRM) on the Operation
and Certification of Small Unmanned Aircraft Systems (sUAS). This is the same
ruling that the FAA and the TSA held a joint
media call about yesterday. A draft
of the NPRM is available and will probably be published in the Federal
Register this week.

The sUAS rules would apply to unmanned aircraft that weigh
under 55 lbs. The NPRM would contain a proposal to set up a micro UAS
subcategory for UAS that weigh under 4.4 lbs. A number of additional
restrictions would apply to both categories of UAS.

An operator of either type of UAS would be required to have an
‘unmanned aircraft airman certificate’, which would include a requirement for
vetting by the DHS Transportation Security Administration (TSA).

I don’t see anything that would specifically prohibit flying
micro UAS or sUAS over critical infrastructure facilities unless they were
already covered under existing FAA restrictions. I’ll be going into more detail
on this when it is published in the Federal Register.

Friday, February 13, 2015

There were 129 bills introduced in the House and Senate
yesterday. Only one of those may be of specific interest to readers of this
blog:

HR 910 To
amend title 23, United States Code, to provide eligibility under certain
highway programs for projects for the installation of vehicle-to-infrastructure
communication equipment, and for other... Rep.
Miller, Candice S. [R-MI-10]

My main interest in following this bill is to see what sort
of cybersecurity provisions are included.

HR 878 -
To provide for the authorization of border, maritime, and transportation
security responsibilities and functions in the Department of Homeland Security
and the establishment of United States Customs...Rep. Miller, Candice
S. [R-MI-10]

S 456 -
A bill to codify mechanisms for enabling cybersecurity threat indicator sharing
between private and government entities, as well as among private entities, to
better protect information systems. Sen. Carper, Thomas R.
[D-DE]

HR 861 is almost certainly a ‘clean’ FY 2015 appropriations
bill for DHS. Since Rep. Cummings is a Democrat and not on either the
Appropriations Committee or the Homeland Security Committee this bill has
almost no chance of being considered.

I think that recent press reports about the President’s
cybersecurity bill being introduced in the Senate refer to this bill (almost no
one else reports bill numbers), but according to Sen.
Carper’s press release this bill is a blend of the Administration’s bill
and “insights and advice from our Committee’s hearing on the topic earlier this
month”. According to the release the bill will:

● Authorizes sharing and provides liability
protections;

● Sharing within the government and protection of
information;

● Government to industry sharing and improved
coordination; and

● Builds in strong privacy protections.

The same could be said for a number of information sharing
bills, but the devil is in the details. We’ll have to see what the bill actually
says.

HR 844 and S 443 probably have to deal
with the storage of unused crude oil tank cars. With the decreasing
price of crude oil due to the current world oversupply a number of
these cars have been temporarily taken out of service. They have to
be put somewhere and a common place has been unused rail lines in
rural areas. There have been concerns expressed about the safety and
security of such rail cars and I expect that these bills will attempt
to deal with the issue.

Yesterday the DHS ICS-CERT published an
update for a Siemens advisory, a new advisory for an Advantech
product line, and an alert for a Microsoft vulnerability.

Siemens Update

This update
is for a WinCC advisory that was originally
published last November. This update provides notification that
the last affected system (WinCC 7.0 SP 3) now has an update available
to mitigate the vulnerability. Siemens published
their update last week.

Advantech Advisory

This advisory
describes a buffer overflow vulnerability in the Advantech EKI-1200
MODBUS Gateway product line. The vulnerability was originally
reported by Enrique Nissim and Pablo Lorenzzato of the Core Security
Engineering Team in a coordinated disclosure. ICS-CERT reports that
Advantech has a patch that mitigates the vulnerability but there is
no indication that the researchers have validated that fix.

ICS-CERT reports that a relatively
unskilled attacker could remotely exploit this vulnerability to
execute arbitrary code.

Microsoft Alert

This alert
describes a critical security update for the Microsoft Windows
operating systems. The JASBUG
vulnerability was first reported by four different researchers,
including Jeff Schmidt at Global Advisors. Microsoft has produced
an update that mitigates the vulnerability, but there is no
indication that the researchers have been given the opportunity to
verify the efficacy of the update.

ICS-CERT reports that an attacker who
successfully exploited this vulnerability could take complete control
of an affected system. An attacker could then install programs; view,
change, or delete data; or create new accounts with full user rights.

ICS-CERT notes that just processing the
update does not fix the vulnerability. Additional
actions need to be taken by the system administrator before the
fix actually mitigates the vulnerability.

Yesterday the folks at DHS
Infrastructure Security Compliance Division (ISCD) updated the CFATS
Knowledge Center. They added a link in the Documentation section
of the page for the February
2012 CFATS Update and removed older copies of the Update.

Interestingly there is still no mention
of the passage of HR 4007 and its potential impact on the CFATS
program.

Tuesday, February 10, 2015

Yesterday the OMB’s Office of Information and
Regulatory Affairs (OIRA) reported that it had received the 2016 Critical Use
Exemption from the Phaseout of Methyl Bromide notice of proposed
rulemaking from the EPA. This is almost a full month earlier than last year’s
rulemaking on this topic.

NOTE 1: For some reason this annual rulemaking did
not make it into the Fall 2014 Unified Agenda.

Sunday, February 8, 2015

Both the House and Senate will be in Washington this
week. There are a number of threat/intel type hearings on the House side of the
Capitol and one internet of things (IOT) hearing in the Senate. Other than that,
nothing of potential specific interest to readers of this blog.

Threat/Intel

None of the currently scheduled threat/intelligence
hearings are specifically looking at chemical security. Cybersecurity will be
specifically addressed in one hearing, but there will probably not be any
significant discussion of control system security issues. And, of course, there
will be no actionable threat information discussed; these are all open
hearings. But you never can tell what interesting tidbits might be dropped. The
three hearings are:

On Wednesday the Senate Commerce, Science and
Transportation Committee will be holding
a hearing on The Connected World:
Examining the Internet of Things. This is going to be an anti-regulation
hearing as can be seen by the following statement from Chairman Thune:

“By
engaging early in this debate, Congress can ensure that any government efforts
to protect consumers are tailored for actual problems and avoid regulatory
overreach.”

Since Thune will be one of the controllers of what
cybersecurity legislation will pass in the 114th Congress, the tenor
of his questions during this hearing will provide some valuable insight into
what kind of legislation on cybersecurity issues we might see coming out of his
Committee.

On the Floor

The Senate will continue to play chicken with HR
240, the FY 2015 DHS spending bill. The Republicans obviously don’t have the
votes to bring the bill to the floor for a vote and the Democrats don’t have the
votes to remove the restrictions on the President’s immigration executive
actions. At some point before the February 27th deadline I expect Majority
Leader McConnell to bring a clean bill to the floor which will pass with a close
bipartisan vote.

The House will bring a trio of homeland security
related bills to the floor under suspension of the rules. Of specific interest to
readers of this blog will be HR 710. Rep. Jackson-Lee’s (D,TX) bill was
introduced last Wednesday and still hasn’t been published by the Government
Printing Office. I suspect that it is a repeat of last session’s HR
3202 which passed
easily in the House but was not taken up by the Senate. It will pass again
this week with large bipartisan support.

The notice
of proposed rulemaking (NPRM) for this rule was published just a little
over six months ago. With the large number
of comments (over 3,000) received on that NPRM it is remarkable that PHMSA
was able to get a final rule to OMB in just over six months. It is, frankly, a
measure of the political pressure the Administration is under to ‘get something
done’ on this issue.

Because of the complexity of the issues involved and
the amount of political pressure on both sides of the issue, there is no
telling how long it will take OMB to clear this final rule for publication. In
the little over two months that OIRA considered the NPRM it held 19
reported meetings with interested parties. I expect that a similar number
will be held during the consideration of this final rule.

Thursday, February 5, 2015

Today the DHS ICS-CERT published two new HART-DTM
related advisories, updated the CodeWrights HART-DTM advisory, updated the NTP
Advisory and published their promised NTP supplement. It was a busy information
afternoon for ICS-CERT.

NTP Information

The third update
to the ICS-CERT advisory on the NTP vulnerabilities was simply a change to add
a link to the promised supplement addressing vendor specific information about
how those vulnerabilities are implemented in specific products. That Supplement
currently lists affected products (and mitigation measures) from/for the
following vendors:

● Arbiter Systems;

● Innominate;

● Meinberg;

● Siemens; and

● Wind River Systems.

The Supplement does not currently list reportedly
unaffected products. Updates to this Supplement are expected.

HART-DTM Information

The third update to the CodeWrights HART-DTM
advisory provides some new information about affected systems, including adding
Honeywell to the list of potentially affected vendors. Interestingly GE-MAKTec
was not included on the list even though ICS-CERT published an advisory about
their HART-DTM vulnerabilities today. The Update has also provided links to ICS-CERT
advisories for Emerson,
Honeywell,
Magnetrol,
and Pepperl+Fuchs.

There is some additional clarification about the
potential impact of successful exploits of this vulnerability. ICS-CERT notes
that it only affects the Field Device Tool (FDT) Frame Application. Since that
application is only used for configuration changes, ICS-CERT reports that a
successful exploit “does not result in loss of information, control, or view by
the control system of the HART devices on the 4-20 mA HART Loop”.

ICS-CERT continues to emphasize how difficult it
would be to craft an exploit for this vulnerability. Interestingly, they have
removed the comments about compromised physical access to the 4 mA to 20 mA
current loop. They emphasize that an exploit is possible from “any adjacent
network that receives or passes packets from the HART Device DTM”.

The new advisories for Pepperl+Fuchs
products and products from GE and MAKTec
(GE provides the DTM software for the MAKTec Bullet Adapter DTM according to a GE
Advisory) provide basically the same information as the current CodeWrights
advisory.

Consistency of Information Sharing

It seems odd that ICS-CERT is issuing individual
advisories for vendors affected by the HART-DTM vulnerability but issues a
supplement for the advisory that lists those affected by the NTP vulnerability.
In most ways it really does not make a difference which process ICS-CERT uses
and they are under no mandate or obligation to maintain any sort of consistency
in their methodology.

Having said that, the multiple advisory process being
used with the HART-DTM vulnerability does present a problem. The two advisories
issued today share the same language as that found in the current version of
the CodeWrights advisory. The Emerson and Magnetrol advisories share the
language with the previous version of the CodeWrights advisory. This means that
ICS-CERT really should have offered updates of those two advisories today as
well. And when the next change takes place, they will have to update all five
advisories (plus any others issued in the interim). Using the NTP
advisory/supplement model, only one advisory needs to be updated when
information on the base vulnerability changes.

HR 710 To require the Secretary of Homeland Security to prepare a
comprehensive security assessment of the transportation security card program,
and for other purposes. Rep.
Jackson Lee, Sheila [D-TX-18]

HR 702 was actually introduced the day before, but
it was assigned the number ‘HR 666’. Apparently this was considered a bad sign
by Congressman Barton so the bill was re-introduced today. To be fair, anything
that makes it hard for any member to vote for a bill is probably something to
be avoided.

The two cybersecurity bills will probably not receive
future mention here as I suspect that they are principally IT related bills.
Control system language could creep in though.

Wednesday, February 4, 2015

Today the DHS ICS-CERT published an updated version
of their advisory on the Network Time Protocol vulnerabilities. This is a
fairly extensive update with five separate areas of the advisory being revised.
The revisions deal with:

● The scope of the covered systems;

● The scope of the vulnerabilities;

● Additional background information;

● Additional mitigation information; and

● A link to a new document on best practices for using time reference services.

Scope Changes

ICS-CERT acknowledges in this new version that a
number of vendor systems will be affected by this open source vulnerability.
They note that they are working with vendors to determine which systems are
specifically vulnerable. They will be publishing a supplement to this advisory
that provides additional information on affected systems and unique mitigation
measures.

In a rather unusual move ICS-CERT has added two new
vulnerabilities to this advisory. They are:

This best practices document is interesting in a lot of ways. First off it has no
organizational markings on it and it is prominently labeled “Unclassified”.
This kind of leads me to believe that it may be a military document. There is a
reference on page one to notifying the Coast Guard in case of a problem with a
GPS signal.

About half of the document deals with GPS issues,
about 1/3 deals with NTP issues and the remaining space is taken up with a
discussion of Cesium clock issues and Time and Frequency Distribution System
considerations.

Systemic Issues

We are seeing an increasing number of systemic vulnerabilities
in industrial control systems that affect products from a number of vendors.
These types of issues make it easier for a serious attacker to develop tools that
would be effective across a wide range of control system platforms. This would
make things easier for people developing cyber-warfare weapons. A pretty sound argument
could be made that a large portion of the ICS-CERT assets should be focused on
these types of issues. Advisories of this sort (and the promised future updates
and supplements) show that ICS-CERT is taking this type of issue seriously.
Whether it is seriously enough, only time will tell.

About Me

Patrick Coyle is a freelance writer dealing with chemical security and safety issues. He has 15 years experience in the US Army with extensive experience in training development, delivery and evaluation. He spent 20 years working in the chemical process industry developing and improving chemical manufacturing processes with a large emphasis on chemical and process safety. He currently writes a daily blog, the Chemical Facility Security News, examining the issues associated with the Chemical Facility Anti-Terrorism Standards administered by the Department of Homeland Security.